Many software security vulnerabilities originate in errors committed by software developers. Interactive development tools can assist in developing more secure software, but they must reflect an in-depth understanding of how and why developers produce security bugs.
US researchers at the University of North Carolina at Charlotte conducted semi-structured interviews of 15 professional software developers to discover their perceptions and behaviors related to software security. The results revealed a disconnect between the developers’ conceptual understanding of security and their attitudes regarding their personal responsibility and security practices.
“Many common software security vulnerabilities can be prevented with relatively simple code practices,” said Jing Xie, coauthor with Heather Lipford and Bill Chu of a paper reporting the results. “Yet, if developers rely on other people, processes, or technology to handle software security, they may inadvertently introduce errors that cost the organization time and effort to later find and fix.”
The paper, “Why Do Programmers Make Security Errors?”, has been accepted for presentation at the IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC 2011), to be held 18–22 September in Pittsburgh. The website for the conference is http://www.cs.cmu.edu/~vlhcc2011.